We have now reached the third article in our four-part Microsoft PKI quick guide series. In our first article we gave you a quick overview on how to prepare and plan your Microsoft PKI. In our second article we went into design mode and looked at some best practice settings. In this article we will get a lot more technical and show you how to install a PKI based on Microsoft Certificate Services in Windows Server 2003.

Installing the PKI

Based on some of the design issues from our previous article, it is time to start the installation of your PKI. Since this is a quick guide, we will cover a few things along the way, even though they actually belong to the design stage. For the rest of this article, we will show you how to install a 2-level hierarchy consisting of an offline root CA and an online issuing CA in the same PKI using best practice methods. However, before we start the installation, let us get a few practical things in place.

In figure 1, we have illustrated a best practice validity period for each CA at each level (based on a 3-level hierarchy for a complete overview). The advantage of this model is that it ensures consistent validity periods for the certificates issued at each level. If you only want to deploy a 2-level hierarchy, simply remove the CA in level-3. The model will still apply.

Figure 1: A best practice validity period for each CA at each level

The other thing you should prepare before we start the installation is a text file called CAPolicy.inf. This file is used to customize your configuration of Windows Certificate Services. In this file, you will find important things such as:

The CDP statement

Certificate renewal settings such as validity period and key size

The links for the CDP and AIA paths

How often the CRL should be published

Create the file using Notepad and save it to %windir%\capolicy.inf (e.g. C:\Windows\capolicy.inf).

We have made this task a lot easier for you, by supplying the files in our step-by-step guides below. With these things in mind, it is time to get technical.
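The article's own CAPolicy.inf is not reproduced here, so the following is an added example for the offline root CA (not the article's file) covering the four items listed above: the policy statement, the renewal settings, the CDP/AIA pointers and the CRL period. The key size and validity match the wizard values used later in this article; the OID, the URL and the 26-week CRL period are assumptions you must replace with your own.

```ini
; CAPolicy.inf for the offline root CA (added example, not the article's file).
; Save as %windir%\CAPolicy.inf before Certificate Services is installed.
[Version]
Signature="$Windows NT$"

; Policy statement (CPS) pointer embedded in the root certificate.
; The OID and URL are placeholders: replace them with your own values.
[PolicyStatementExtension]
Policies=LegalPolicy

[LegalPolicy]
OID=1.2.3.4.5.6.7
Notice="Placeholder legal policy statement text"
URL=http://pki.domain.local/cps.htm

; A root certificate is self-signed: keep CDP and AIA out of it.
[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True

[certsrv_server]
; Used when the root certificate is renewed; matches the wizard values
; (4096-bit key, 20 years) so a renewal keeps the same strength.
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
; Base CRL interval: 26 weeks is an assumed value for an offline root, which
; only signs a CRL covering its few subordinate CA certificates.
CRLPeriod=Weeks
CRLPeriodUnits=26
; No delta CRLs from an offline CA.
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
```

For the issuing CA the same file needs only the [certsrv_server] section, with RenewalKeyLength=2048, since its CDP and AIA pointers are written by the parent CA.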

Installing an offline root CA

To install an offline root CA, you will have to complete the following:

Prepare a CAPolicy.inf file

Install Windows Certificate Services

Publish the CRL list

Run the post-Configuration script

Here is how it should be done:

Install a server with Windows Server 2003 Standard Edition incl. SP1 or newer and make sure that it runs as a stand-alone server (i.e. it should not be a member of any domain)

Make the necessary parameter replacements in the CAPolicy.inf file below (highlighted in red)

In Windows Components Wizard, you select Certificate Services and click Next

Notice what the dialog box is displaying. You should not rename the computer once the Windows Certificate Services are installed. Click Yes

Figure 3

In the CA Type field, click Stand-alone root CA, check the “Use custom settings to generate the key pair and CA certificate” check box and click Next

Note: It is normal that the Enterprise root CA and Enterprise subordinate CA options cannot be selected, since this server is not a member of a domain

Figure 4

Select the CSP you want to use for your offline root CA. For simplicity, we’ve selected the Microsoft Strong Cryptographic Provider v1.0, however you can also select another CSP if you, for example, installed a Hardware Security Module (HSM) and connected the server to the HSM solution, before you started the CA installation procedure.

Select the default hash algorithm SHA-1

Set the key length to 4096

Make sure that both the “Allow this CSP to interact with the desktop” and “Use an existing key” options are not checked. Click Next

Figure 5

Enter a common name for your root CA, configure the Distinguished name suffix (O=domain, C=local) and set the validity period to 20 years, then click Next

Figure 6

Accept the default suggestion for the certificate database and log files (or change it at will) and click Next

Figure 7

Since this is an offline root CA, there is no need to install IIS (Internet Information Services), which is why this dialog is displayed. Click OK

Copy %windir%\system32\certsrv\certenroll\*.crt and *.crl to a USB key. You will need these files for the next subordinate CA that will be installed

You should also copy these files to the CDP HTTP location as indicated in the caconfig.inf file listed earlier.

Make the necessary parameter replacements in the file below (highlighted in red) and run the file from a command prompt

Figure 11

You are done installing the root CA.
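The post-configuration script itself is not reproduced on this page, so here is an added example for the offline root CA (not the article's script). It sets the CDP and AIA URLs written into the certificates the root issues, the CRL period and the maximum validity of issued certificates, then restarts the service and publishes a CRL. The HTTP CDP location, the Configuration container DN and the 26-week CRL period are placeholders you must replace.

```batch
@echo off
setlocal
rem Post-configuration for the offline root CA. Added example, not the
rem article's own script. Run from a command prompt on the root CA after
rem Certificate Services has been installed.
rem Replace these three placeholder values with your own:
set HTTP_CDP=http://pki.domain.local/CertEnroll
set CONFIG_DN=CN=Configuration,DC=domain,DC=local
set CRL_WEEKS=26

rem The root is not a domain member, so tell it where the forest's
rem Configuration container is; token 6 in the ldap URLs expands to it.
certutil -setreg CA\DSConfigDN "%CONFIG_DN%"

rem CRL distribution points written into the sub CA certificates.
rem Flags: 1 = publish the CRL here, 2 = include in the CDP extension,
rem 8 = include in the IDP extension of the CRL (10 = 2 + 8).
rem A doubled percent sign is how a batch file passes a literal percent.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:%HTTP_CDP%/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

rem Authority Information Access: where clients fetch the root certificate.
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:%HTTP_CDP%/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

rem Base CRL every CRL_WEEKS weeks; no delta CRLs on an offline root.
certutil -setreg CA\CRLPeriodUnits %CRL_WEEKS%
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "Days"

rem Cap on certificates the root issues: 5 years, matching the issuing CA.
certutil -setreg CA\ValidityPeriodUnits 5
certutil -setreg CA\ValidityPeriod "Years"

rem Audit all CA events (also enable "Audit object access" in local policy).
certutil -setreg CA\AuditFilter 127

rem Restart the service so the new settings apply, then publish a fresh CRL.
net stop certsvc && net start certsvc
certutil -crl
endlocal
```

The same certutil -setreg pattern applies to the issuing CA, with its own HTTP location and, because it is online, a delta CRL period of its own.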

We mentioned earlier that there are good security reasons to keep the root and policy CAs offline, which includes turning them off. Only the issuing CAs should be kept online. Because the root and policy CAs are kept offline, they should not be a member of a domain.

Installing an online issuing enterprise CA

To install an online issuing Enterprise CA, you will have to complete the following:

Prepare a CAPolicy.inf file

Install IIS (Internet Information Services)

Install Windows Certificate Services

Submit the sub CA certificate request to the parent CA

Issue the sub CA certificate

Install the sub CA certificate at the enterprise subordinate CA

Run the post-Configuration script

Publish the CRL list

Here is how you do it:

Install a server with Windows Server 2003 Enterprise Edition incl. SP1 or newer and make sure it is a member of a domain

Make sure that IIS (Internet Information Services) has been installed. A note on this, however: if you really want to do this right, omit IIS. The only caveat is that you definitely need to know your PKI before you omit the IIS component. The advantage is a simpler setup and one less attack vector.

Make the necessary parameter replacements in the CAPolicy.inf file below (highlighted in red)

In Windows Components Wizard, you select Certificate Services and click Next

Figure 13

Notice what the dialog box is displaying. You should not rename the computer once the Windows Certificate Services are installed. Click Yes

In the CA Type field, click Enterprise subordinate CA, check the “Use custom settings to generate the key pair and CA certificate” check box and click Next

Figure 14

Select the CSP you want to use for your issuing CA. For simplicity, we have selected the Microsoft Strong Cryptographic Provider v1.0, however you could also have selected another CSP if you, for example, installed a Hardware Security Module (HSM) and connected the server to the HSM solution, before you started the CA installation procedure.

Select the default hash algorithm SHA-1

Set the key length to 2048

Make sure that both the “Allow this CSP to interact with the desktop” and “Use an existing key” options are not checked. Click Next

Figure 15

Enter a common name for your issuing CA and set the validity period to 5 years, then click Next

Figure 16

Accept the default suggestion for the certificate database and log files (or change at will) and click Next

A CA Certificate Request window is displayed. Select Save the request to a file and enter a path and a filename (the wizard will automatically add a .req extension to the filename). Copy the file to a USB key for later use. Click Next. We will be using this request file later on in this quick guide

Figure 17

Some certificate IIS application components will be added. Click Yes

Figure 18

(Optional) If you have not enabled ASP support in IIS, the following dialog box is displayed. Click Yes

Figure 19

You are not quite done yet. As indicated in the dialog box, you will need to generate a private key for your new issuing CA.

Figure 20

Click OK and continue.

Click Finish

Figure 21

Before you continue, you should publish the certificate and revocation list for your root CA to Active Directory. This is easily done by doing the following:

a. Copy both the *.crt and *.crl files generated during the installation of the root CA to the %systemroot%\system32\certsrv\certenroll folder on the issuing CA server.

b. Run the script below from a command line prompt in the same folder on your issuing CA. You have to run the script as a user who is a member of the Cert Publishers Group in Active Directory (normally someone with domain admin rights).

Figure 22

The script will automatically process the entire filename and complete the needed commands.
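As an added example of such a publishing script (not the article's own) for step b above: it publishes the root CA's certificate and CRL to Active Directory and to the local computer stores of the issuing CA. It assumes the files copied from the root CA are named RootCA.crt and RootCA.crl (placeholder names) and sit in the current folder.

```batch
@echo off
setlocal
rem Publish the offline root CA's certificate and CRL. Added example, not
rem the article's script. Run on the issuing CA, from the folder holding the
rem copied files, as a member of the Cert Publishers group.
rem Placeholder file names: use the *.crt and *.crl copied from the root CA.
set ROOT_CRT=RootCA.crt
set ROOT_CRL=RootCA.crl

if not exist "%ROOT_CRT%" (echo Missing %ROOT_CRT% & exit /b 1)
if not exist "%ROOT_CRL%" (echo Missing %ROOT_CRL% & exit /b 1)

rem Trusted root container in AD (Certification Authorities), so every
rem domain member picks up the root as a trusted root through Group Policy.
certutil -dspublish -f "%ROOT_CRT%" RootCA || exit /b 1

rem CDP container in AD, so the ldap:// CDP in the sub CA certificate resolves.
certutil -dspublish -f "%ROOT_CRL%" || exit /b 1

rem Local computer stores on the issuing CA itself: the CA service will not
rem start if it cannot build and check the chain of its own certificate.
certutil -addstore -f Root "%ROOT_CRT%" || exit /b 1
certutil -addstore -f Root "%ROOT_CRL%" || exit /b 1

rem Check: the root certificate should now verify without revocation errors.
certutil -verify "%ROOT_CRT%"
endlocal
```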

Make sure you have the certificate request file generated in Step 12. Log on to the root CA server

Copy %windir%\system32\certsrv\certenroll\*.crt and *.crl to a USB key. You will need to copy these files to the web servers that serve as CRL Distribution Points (CDP) over HTTP. This is the HTTP based CDP URL you defined in the issuing CA's caconfig.inf earlier.

Note: This task should be scheduled and run automatically

Make the necessary parameter replacements in the file below (highlighted in red) and run the file from a command prompt

In this article, we have given you some quick guidelines and best practice advice on how to best implement a PKI consisting of a combination of both offline standalone CAs and enterprise based online issuing CAs. You should know that the script used for publishing the root CA's certificate and CRL file to the local store of the issuing CA and to Active Directory needs modifications if you are using a 3-level hierarchy. This is because the policy CA also needs to be published to the local certificate store of our enterprise based issuing CA and to Active Directory.

To a certain extent you may find this third article a bit cumbersome, especially during the implementation of an online issuing CA. But once you try it, you will find that it is really not that difficult to implement a full blown PKI that is both scalable and secure. In our last article in this PKI quick guide series, we will show you how to verify the installation as well as maintain and troubleshoot a PKI using a few simple steps.